CA2118493A1 - Fair cryptosystems and methods of use - Google Patents
Fair cryptosystems and methods of useInfo
- Publication number
- CA2118493A1 CA2118493A1 CA002118493A CA2118493A CA2118493A1 CA 2118493 A1 CA2118493 A1 CA 2118493A1 CA 002118493 A CA002118493 A CA 002118493A CA 2118493 A CA2118493 A CA 2118493A CA 2118493 A1 CA2118493 A1 CA 2118493A1
- Authority
- CA
- Canada
- Prior art keywords
- user
- key
- secret key
- trustees
- trustee
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/02—Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3829—Payment protocols; Details thereof insuring higher security of transaction involving key management
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/389—Keeping log of transactions for guaranteeing non-repudiation of a transaction
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/403—Solvency checks
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F17/00—Coin-freed apparatus for hiring articles; Coin-freed facilities or services
- G07F17/32—Coin-freed apparatus for hiring articles; Coin-freed facilities or services for games, toys, sports, or amusements
- G07F17/3241—Security aspects of a gaming system, e.g. detecting cheating, device integrity, surveillance
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
- G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
- G07F7/1016—Devices or methods for securing the PIN and other transaction-data, e.g. by encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04K—SECRET COMMUNICATION; JAMMING OF COMMUNICATION
- H04K1/00—Secret communication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
Abstract
FAIR CRYPTOSYSTEMS AND METHODS OF USE
ABSTRACT OF THE DISCLOSURE
A method, using a public-key cryptosystem, for enabling a predetermined entity to monitor communications of users suspected of unlawful activities while protecting the privacy of law-abiding users, wherein each user is assigned a pair of matching secret and public keys. According to the method, each user's secret key is broken into shares. Then, each user provides a plurality of "trustees" pieces of information. The pieces of information provided to each trustee enable that trustee to verify that such information includes a "share" of a secret key of some given public key. Each trustee can verify that the pieces of information provided include a share of the secret key without interaction with any other trustee or by sending messages to the user. Upon a predetermined request or condition, e.g., a court order authorizing the entity to monitor the communications of a user suspected of unlawful activity, the trustees reveal to the entity the shares of the secret key of such user. This enables the entity to reconstruct the secret key and monitor the suspect user's communications.
ABSTRACT OF THE DISCLOSURE
A method, using a public-key cryptosystem, for enabling a predetermined entity to monitor communications of users suspected of unlawful activities while protecting the privacy of law-abiding users, wherein each user is assigned a pair of matching secret and public keys. According to the method, each user's secret key is broken into shares. Then, each user provides a plurality of "trustees" pieces of information. The pieces of information provided to each trustee enable that trustee to verify that such information includes a "share" of a secret key of some given public key. Each trustee can verify that the pieces of information provided include a share of the secret key without interaction with any other trustee or by sending messages to the user. Upon a predetermined request or condition, e.g., a court order authorizing the entity to monitor the communications of a user suspected of unlawful activity, the trustees reveal to the entity the shares of the secret key of such user. This enables the entity to reconstruct the secret key and monitor the suspect user's communications.
Description
ROo ~ I ~ 2~ 3 ' ~ a1/~7 ~3r r~R
. 39 ~gg~ ~ FAIR cR~lyrosysT~Ms AND METHODS OF USE
CHNICA~ FIELD
The present invention relates generally to cryptosystems and more particularly to methods for enabling a gi~en entity to monitor communications of users suspected of unlawful activities while protecting the privacy of law-abiding users.
BACRGROUND OF TH~ I~VE~TIO~
In a single-key cryptosystem a co~mon secret key is used both to encrypt and decrypt messages. Thus only two parties 1~ who have safely exchanged such a key beforehand can use these systems or private communication. Thi~ severely limits the applicability o single-key systems.
In a double-key cryptosystem, the process of encrypting and decrypting is instead governed by different ke7s. In ¦ essence, one comes up with a pair of matching encryption and decryption keys. What is encrypted using a given encryption key can only be decrypted u~ing the corresponding decryption key. Moreover, the encryption k~y does not "betray" its matching decryption key. 'rhat is, knowledge of the encryption Z0 key does not help to find out the value of the decryption key. The advantage of double-key systems is that they can allow two parties who have nev~r safely e$changed any key to privately communicate over an insecure communication line (i.e., one that may be tapped by an ad~ersary). They do this by executing an on-line, private communication protocol.
% ~ 3 , In p~rticular, Party A alerts Party B that he wants to talk to him privately. Party B then cornputes a pair of ~ matching encryption and decryption keys (EB, DB). B then ,~ sends A key EB. Party A now encrypts his message m, obtaining the ciphertext c = EB(m), and sends c to a over the insecure i_ channel. B decrypts the ciphertext by computin~ m = DB(c).
If an adversary eavesdrops all communication between A and B, he will then hear both B's encryption key, EB, and A's ciphertext, c. However, since the adversary does not know ~'s decryption key, DB~ he cannot compute m ~rom c.
The utility of the above protocol is still quite limited since it suffers from t~o drawbacks. First, for A to send a private message to B it is necessary also that B send a message to A, at least th~ first time. In some situations this is a real disadvantage. Moreover, A has no guarantee (since the line is insecure anyway~ that the received string D~ really is B's encryption key. Indeed, it may be a key sent by an adversary, who will then understand the subsequent, encrypted transmission.
An ordinary public-key cryptosystem ("PKC") solves both di~ficulties and greatly facilitates communication. Such a system es~entially consists of usinq a double-key system in conjunction with a proper key management center. Each user X
comes up with a pair of matchin~ encryption and decryption keys (E~, Dx) of a double-key system. He keeps DX for himself and gives EX to the key rnanagement center. The center is ~ 2 ~ 3 responsible for updating and publicizing a directory of correct public keys or each user, that is, a correct list of entries of the type (X, Ex). For instanc~, upon receiving the request rom X to have Ex as his public key, the center properly checks X~s identity, and (digitally) signs the pair (X, Ex), together with the current date if every encryption key has a limited validity. The center publicizes Ex by distributing the signed information to all users in the system. This way, without any interaction, users can send each other private messages via their public, encryption key that they can look up in the directory published by the center. The identity problem is also solved, since the center's signature o~ the pair (X, E~ guarantees that the pair has been distributed by the center, which has already checked X's identity.
The convenience of a PKC depends on the key management center. Because setting up such a center on a grand scale requires a great deal of effor~, the precise protocols to be followed must be properly chosen. Moreover, public-key cryptography has c~rtain disadvantag~s. A main disadvantage is that any such system can be abussd, for ex~mple, by terrorist~ and criminal organizations who can use their own PKC (without knowledge of the authorities~ and thus conduct their illegal business with great secrecy and yet with extreme convenience.
C~
. 39 ~gg~ ~ FAIR cR~lyrosysT~Ms AND METHODS OF USE
CHNICA~ FIELD
The present invention relates generally to cryptosystems and more particularly to methods for enabling a gi~en entity to monitor communications of users suspected of unlawful activities while protecting the privacy of law-abiding users.
BACRGROUND OF TH~ I~VE~TIO~
In a single-key cryptosystem a co~mon secret key is used both to encrypt and decrypt messages. Thus only two parties 1~ who have safely exchanged such a key beforehand can use these systems or private communication. Thi~ severely limits the applicability o single-key systems.
In a double-key cryptosystem, the process of encrypting and decrypting is instead governed by different ke7s. In ¦ essence, one comes up with a pair of matching encryption and decryption keys. What is encrypted using a given encryption key can only be decrypted u~ing the corresponding decryption key. Moreover, the encryption k~y does not "betray" its matching decryption key. 'rhat is, knowledge of the encryption Z0 key does not help to find out the value of the decryption key. The advantage of double-key systems is that they can allow two parties who have nev~r safely e$changed any key to privately communicate over an insecure communication line (i.e., one that may be tapped by an ad~ersary). They do this by executing an on-line, private communication protocol.
% ~ 3 , In p~rticular, Party A alerts Party B that he wants to talk to him privately. Party B then cornputes a pair of ~ matching encryption and decryption keys (EB, DB). B then ,~ sends A key EB. Party A now encrypts his message m, obtaining the ciphertext c = EB(m), and sends c to a over the insecure i_ channel. B decrypts the ciphertext by computin~ m = DB(c).
If an adversary eavesdrops all communication between A and B, he will then hear both B's encryption key, EB, and A's ciphertext, c. However, since the adversary does not know ~'s decryption key, DB~ he cannot compute m ~rom c.
The utility of the above protocol is still quite limited since it suffers from t~o drawbacks. First, for A to send a private message to B it is necessary also that B send a message to A, at least th~ first time. In some situations this is a real disadvantage. Moreover, A has no guarantee (since the line is insecure anyway~ that the received string D~ really is B's encryption key. Indeed, it may be a key sent by an adversary, who will then understand the subsequent, encrypted transmission.
An ordinary public-key cryptosystem ("PKC") solves both di~ficulties and greatly facilitates communication. Such a system es~entially consists of usinq a double-key system in conjunction with a proper key management center. Each user X
comes up with a pair of matchin~ encryption and decryption keys (E~, Dx) of a double-key system. He keeps DX for himself and gives EX to the key rnanagement center. The center is ~ 2 ~ 3 responsible for updating and publicizing a directory of correct public keys or each user, that is, a correct list of entries of the type (X, Ex). For instanc~, upon receiving the request rom X to have Ex as his public key, the center properly checks X~s identity, and (digitally) signs the pair (X, Ex), together with the current date if every encryption key has a limited validity. The center publicizes Ex by distributing the signed information to all users in the system. This way, without any interaction, users can send each other private messages via their public, encryption key that they can look up in the directory published by the center. The identity problem is also solved, since the center's signature o~ the pair (X, E~ guarantees that the pair has been distributed by the center, which has already checked X's identity.
The convenience of a PKC depends on the key management center. Because setting up such a center on a grand scale requires a great deal of effor~, the precise protocols to be followed must be properly chosen. Moreover, public-key cryptography has c~rtain disadvantag~s. A main disadvantage is that any such system can be abussd, for ex~mple, by terrorist~ and criminal organizations who can use their own PKC (without knowledge of the authorities~ and thus conduct their illegal business with great secrecy and yet with extreme convenience.
C~
2 1 1 8 L~ 3 ~~ .
.t h~ould therefore be desirable to prevent any abuse of a public key cryptosystem while maintaining all of its lawful advantages.
- BRIEF SUMMA~Y OF THE INVENTI013 It is an object of th0 present invention to provide -methods for enabling a given entity, such as the government, to monitor communications of users su~pected of unlaw~ul activities while at the same time protecting the privacy of law-abiding users.
It is a further object of the invention to provide such methods using either public or private key cryptosystems.
It is a still further object of the invention to provide so-called "fair" cryptosystems wherein an entity can monitor communications of suspect users only upon predetermined lS occurrences, e.g., the obtaining of a court order.
It is another object to describe methods of constructing fair cryptosystems for use in such communicatiorls t~chnigues.
In one embodiment, these and other objects of the invention are pzovided in a method, using a public-key cryptosystem, for enabling a predetermined enti~y to monitor communications of users suspected of unlawful activities while protecting the privacy of law-abiding users~ wherein each user is assigned a pair of matching secret and public keys.
According to the method, each user~s secret key is broken into shares. Then, each user provides a plurality of "trustees"
pieces of information. The pieces oE inEormation provided to each trustee enable that trustee to verify that such information includes a "share" o~ a secret key of some given public key. Further, each trustee can verify that the pieces of information provided include a share of the secret key without interaction with any other trustee or by sending messages to the user. Upon a predeterrnined request or condition, e.g., a court order authorizing the entity to monitor the communications of a user suspected of unlaw~ul activity, the trustees reveal to the entity the shares of the secret key of such user to enable the entity to reconstruct the secret key and monitor the suspect user's cornrnunications.
The method can be carried out whether or not the identity of the suspect user is known to the trustees, and even if less than all of the shares of the suspect usex's secret key are required to be revealed in order to reconstruct the secret key. The method is robust enough to be effective if a given minority of trustees have been compromised and cannot be trusted to cooperate with the entity. In addition, the suspect user's activities are characterized as unlawful if the entity, after recon~tructing or having tried to reconstruct the secret key, is still unable to rnonitor the suspect user's cornrnunications.
According to another more generalized aspect of the invention, a method is described for using a public-key cryptosystem for enabling a predetermined entity to monitor cornmunications of users suspected of unlawful activities while protecting the privacy o~ law-abiding users. The method comprises the step of "verifiably secret sharing" each user's secret key with a plurality of trustees so that each trustee ' car. verify that the share received is part of a secret key of some public key.
The foregoing has outlined some of the more pertirlent objects of the present invention. These objects should be construed to be merely illustrative of some of the more prorninent features and applications o the invention. Many other beneficial results can be attained hy applying the disclosed invention in a different manner or modifying the invention as will be described. Accordingly, other objects and a fuller understanding of the invention may be had by referring to the following Detailed Description of the preferred em~odimerlt.
BRI~ DE5CRIPl'IO~ OP TH~ D~A~INGS
For a more complete understanding of the present invention and the advantages thereof, ref rence should be made to the following De~ailed Description taken in connection with the accompanying drawings in which:
FIGURE 1 is a simplified diagram of a communications system over which a government entity desires to monitor communications of user~ suspected of unlawful activities;
FI~URE 2 is a block diagram of a preferred hierarchy of 2S entities that may use the methods of the present invention to monitor communications of users suspected of unlawful activities.
2~8~3 .
DETAILED ~E5CRIPTIO~
FIGURE 1 represents a simple communications system 10 comprising a telephone network connected between a calling station 12 and a called station 14. One or more local central offices or teleyhone switches 16 connect telephone signals over the network in a well-known fashion. Referring now also to FIGURE 2, assume that a government entity, such as local law enforcement agency 18, desires to monitor communications to and/or from calling station 12 because the user of such calling station is suspected of unlawful activity. Assume further that the user of the calling station 12 communicates using a PKC. Following accepted legal practices, the agency 18 obtains a court order from court 20 to privately monitor the line 15. According to the present invention, the agency's is able to monitor the line 15 while at the same time the privacy rights of other law-abiding users of the network are maintalned. This is accomplished as will be described by requiring that each user "secret share" the user's secret key (of the PKC) with a plurality o~ trustees 22a...22n.
According to the invention, a ~'fair" PKC is a special type of public-key cryptosystem. Every user can still choose his own keys and keep secret his privat0 one; nonetheless, a special agreed-upon party (e.g., the government), and solely this party, under the proper circumstances envisaged by the law ~e.g., a court order), and solely under these circumstances, is authorized to monitor all messages sent to a ~ 7 -.. . ~ ~ .
, ~ ~, ..
2 ~ C~ ~
specific user. A ~air PKC improves the security of the , ~ ~
existing communieation systems (e.g., the telephone service ~
10) while remaining within the constraints of accepted legal ~ -procedures.
In one embodiment, fair PKC~s are constructed in the following general way, Referring now to FIGURES 1-2, it is assumed that there are five (5) trustees 22a...22e and that the government desires, upon receiving a court order, to monitor the telephone communications to or rom the calling station 12. Although the above description is speci~ic, it should ~e appreciated that users of the communications system and trustees may be people or computing devices. It is preferable that the trustees are chosen to be trustworthy.
For instance, they may be judges (or computers controlled by chem), or computers specially set up for this purpose. The trustees, together with the individual users, play a crucial role in deciding which encryption keys will be published in the system.
Each user independently chooses his own public and secret keys according to a given double-key system (for instance, the public key consists of the product of two primes, and the secret key one of these two primes). Since the user has chosen both of his keys, he can be sure o their "qualit~' and of the privacy of his decryption key. He then breaks his secret decryption key into five special "pieces" ~i.e., he 2 ~ 3 computes from his decryption key 5 special strings/numbers) `~
possessing the following properties:
(1) The private key can be reconstructed given knowledge o~ all five, special pieces;
(2) The private key cannot be guessed at all if one only 5 - knows (any) 4, or less, of the special pieces;
.t h~ould therefore be desirable to prevent any abuse of a public key cryptosystem while maintaining all of its lawful advantages.
- BRIEF SUMMA~Y OF THE INVENTI013 It is an object of th0 present invention to provide -methods for enabling a given entity, such as the government, to monitor communications of users su~pected of unlaw~ul activities while at the same time protecting the privacy of law-abiding users.
It is a further object of the invention to provide such methods using either public or private key cryptosystems.
It is a still further object of the invention to provide so-called "fair" cryptosystems wherein an entity can monitor communications of suspect users only upon predetermined lS occurrences, e.g., the obtaining of a court order.
It is another object to describe methods of constructing fair cryptosystems for use in such communicatiorls t~chnigues.
In one embodiment, these and other objects of the invention are pzovided in a method, using a public-key cryptosystem, for enabling a predetermined enti~y to monitor communications of users suspected of unlawful activities while protecting the privacy of law-abiding users~ wherein each user is assigned a pair of matching secret and public keys.
According to the method, each user~s secret key is broken into shares. Then, each user provides a plurality of "trustees"
pieces of information. The pieces oE inEormation provided to each trustee enable that trustee to verify that such information includes a "share" o~ a secret key of some given public key. Further, each trustee can verify that the pieces of information provided include a share of the secret key without interaction with any other trustee or by sending messages to the user. Upon a predeterrnined request or condition, e.g., a court order authorizing the entity to monitor the communications of a user suspected of unlaw~ul activity, the trustees reveal to the entity the shares of the secret key of such user to enable the entity to reconstruct the secret key and monitor the suspect user's cornrnunications.
The method can be carried out whether or not the identity of the suspect user is known to the trustees, and even if less than all of the shares of the suspect usex's secret key are required to be revealed in order to reconstruct the secret key. The method is robust enough to be effective if a given minority of trustees have been compromised and cannot be trusted to cooperate with the entity. In addition, the suspect user's activities are characterized as unlawful if the entity, after recon~tructing or having tried to reconstruct the secret key, is still unable to rnonitor the suspect user's cornrnunications.
According to another more generalized aspect of the invention, a method is described for using a public-key cryptosystem for enabling a predetermined entity to monitor cornmunications of users suspected of unlawful activities while protecting the privacy o~ law-abiding users. The method comprises the step of "verifiably secret sharing" each user's secret key with a plurality of trustees so that each trustee ' car. verify that the share received is part of a secret key of some public key.
The foregoing has outlined some of the more pertirlent objects of the present invention. These objects should be construed to be merely illustrative of some of the more prorninent features and applications o the invention. Many other beneficial results can be attained hy applying the disclosed invention in a different manner or modifying the invention as will be described. Accordingly, other objects and a fuller understanding of the invention may be had by referring to the following Detailed Description of the preferred em~odimerlt.
BRI~ DE5CRIPl'IO~ OP TH~ D~A~INGS
For a more complete understanding of the present invention and the advantages thereof, ref rence should be made to the following De~ailed Description taken in connection with the accompanying drawings in which:
FIGURE 1 is a simplified diagram of a communications system over which a government entity desires to monitor communications of user~ suspected of unlawful activities;
FI~URE 2 is a block diagram of a preferred hierarchy of 2S entities that may use the methods of the present invention to monitor communications of users suspected of unlawful activities.
2~8~3 .
DETAILED ~E5CRIPTIO~
FIGURE 1 represents a simple communications system 10 comprising a telephone network connected between a calling station 12 and a called station 14. One or more local central offices or teleyhone switches 16 connect telephone signals over the network in a well-known fashion. Referring now also to FIGURE 2, assume that a government entity, such as local law enforcement agency 18, desires to monitor communications to and/or from calling station 12 because the user of such calling station is suspected of unlawful activity. Assume further that the user of the calling station 12 communicates using a PKC. Following accepted legal practices, the agency 18 obtains a court order from court 20 to privately monitor the line 15. According to the present invention, the agency's is able to monitor the line 15 while at the same time the privacy rights of other law-abiding users of the network are maintalned. This is accomplished as will be described by requiring that each user "secret share" the user's secret key (of the PKC) with a plurality o~ trustees 22a...22n.
According to the invention, a ~'fair" PKC is a special type of public-key cryptosystem. Every user can still choose his own keys and keep secret his privat0 one; nonetheless, a special agreed-upon party (e.g., the government), and solely this party, under the proper circumstances envisaged by the law ~e.g., a court order), and solely under these circumstances, is authorized to monitor all messages sent to a ~ 7 -.. . ~ ~ .
, ~ ~, ..
2 ~ C~ ~
specific user. A ~air PKC improves the security of the , ~ ~
existing communieation systems (e.g., the telephone service ~
10) while remaining within the constraints of accepted legal ~ -procedures.
In one embodiment, fair PKC~s are constructed in the following general way, Referring now to FIGURES 1-2, it is assumed that there are five (5) trustees 22a...22e and that the government desires, upon receiving a court order, to monitor the telephone communications to or rom the calling station 12. Although the above description is speci~ic, it should ~e appreciated that users of the communications system and trustees may be people or computing devices. It is preferable that the trustees are chosen to be trustworthy.
For instance, they may be judges (or computers controlled by chem), or computers specially set up for this purpose. The trustees, together with the individual users, play a crucial role in deciding which encryption keys will be published in the system.
Each user independently chooses his own public and secret keys according to a given double-key system (for instance, the public key consists of the product of two primes, and the secret key one of these two primes). Since the user has chosen both of his keys, he can be sure o their "qualit~' and of the privacy of his decryption key. He then breaks his secret decryption key into five special "pieces" ~i.e., he 2 ~ 3 computes from his decryption key 5 special strings/numbers) `~
possessing the following properties:
(1) The private key can be reconstructed given knowledge o~ all five, special pieces;
(2) The private key cannot be guessed at all if one only 5 - knows (any) 4, or less, of the special pieces;
(3) For i-l,. . . . 5, the i-th special piece can be individually verified to be correct.
Given all 5 special pieces or "shares", one can veriy that they are correct by checki~g that they indeed yield the private decryption key. According to one feature of the invention, property (3) insures that each special piece can be ~, verified to be correct (i.e., that together with the other 4 special pieces it yields the private key) individually, i.e., without knowing the secret key at all an~ without knowing the -~
value of any of the other special pieces.
The user then privately (e.g., in encrypted forrn) gives trustee 22i his own public key and the i-th piece of its associated secret key. Each trustee 22 individually inspects his received piece, and, if it is correct, approves the public key (e.g. signs it) and saf~ly stores the piece relative to it. These approvals ar~ given to a key management center 24, either directly by the trustees, or (possibly in a single ~
message) by the individual user who collects them from the ~ ~ -trustees. The center 24, which may or may not coincide with the government, itsel approves (e.g., signs) any public key that is approved by all trustees. These center-approved keys ~ ~;
l , _9- ~
~ : :
r~ 3~
are the public keys of the fair PKC and they are distribu~ed and used ~or private communication as in an ordinary PKC.
Because the special pieces of each decryption key are privately given to the trustees, an adversary w~o taps the communication line of two users possesses the same information as in the underlying, ordinary PKC. Thus if the underlying PKC is secure, so is the fair PKC. Moreover, even if the adversary were one of the trustees himself, or even a cooperating collection of any four out of ~ive of .he trustees, property (2) insures that the adversary would still have the same information as in the ordinary PKC. Because the possibility that an adversary corrupts five out of five judges is absolutely remote, the security of the resulting fair PKC
is the same as in the underlying PKC.
When presented with a court order, for example, the~
truste~s 22 reveal to the government 20 the pieces of 3 given decryption key in their possession. According to the invention, the trustees may or may not be aware of the identity of the user who possesses the given decryption key.
This provides additional security against ~'compromised"
trustees who might otherwise tip off the suspec~ user once a re~uest for tha~ user's decryption key share is received by the tru~tee.
Upon receiving the shares, the government reconstructs 251~ the given decryption key. By property (3)~ each trustee previously verified whether he was given a correct special l n 3 piece of a given decryption key. Moreover, every public key was authorized by the key management center 24 only if it was approved by all trustees 22. Thus, the government is guaranteed that, in case of a court order, it will be given 5 all special pieces of any decryption key. By property (1), this is a guarantee that the gGvernment will be able to reconstruct any given decryption key if necessary to monitor communications over the network.
Several types of fair PKC's are now described in more lO detail.
Diffie ~nd Hellman's PK~
The Diffie and Hellman public-key cryptosystem is known and is readily transformed into a fair PKC by the present invention. In the Dif~ie and H011man scheme, each pair of 15 users X and Y succe~ds, without any interaction, in agreeing upon a common, secre~ key Sx~ to be used as a conventional ~-~
single-key cryptosystem. In the ordinary Diffie-Hellrnan PKC, there are a prime p and a generator ~or high-order element) g t common to all users. User X secretly selects a random integer ~-~n Sx in the interval [1, p-l] as his private key and publicly announces the integer p~ , gSx mod p as his public key.
Another user, Y, will similarly sel~ct Sy as his private key and announc~ py ~ gSY mod p as his public key. The value of t~liS key is determined as sxy ~ gS~Sy mod p. User X computes 25 Sxy by raising Y's public key to his private key mod pX, and _~ .
C ~
2~8~9~ :
us~r Y by raising X~s public key to his secret key mod p. In fact: ;
( g X ) Sy = g SxSy = Sxy D 9 Sys2 = ( 9 S~ ) S X mo~ P
While it is easy, given 9, p and x, to compute y _ gx mod p, no efficient algorithm is known for computing, given y and p, x such that gx _ y mod p when g has high enough order. This is the discrete logarithm problem. This problem has been used as the basis o~ security in many cryptosystems. The Diffie and Hellman's PKC is transformed into a air one in the following manner.
Each user X randomly chooses 5 integers Sxl, . . . Sx5 in the interval [1, p-l] and lets Sx be their sum mod p. It should be understood that all following operations are modulo p. User X then computes the numbers:
tl , 9Sxl , . , , t5~9sxs and Px ~ gSx~
Px will be User X's public key and Sx his private key. The ti's will be referred to as the public pieces of Px, and the Sxi's as the private pieces. It should be noted that the product of the public pieces equals the public key P2. In fact:
. ' ' . ~' t 8 ~
- tl ................ ts = gSxl ... gSx5 = g(S~ Sxs) = gSx -:
Let Tl,. . . T5 be the five trustees. User X now gl~es Px, the public pieces and Sxl t~ trustee Tl, Px, the public pieces and Sx2 to trustee T2, and so on. Piece Sxi is privately given to trustee Ti. Upon receiving public and private pieces ti and Sxi, trustee Ti verifies whether gS~l , Ti. If so, the ~:
trustee stores the pair (Px, Sxi), signs the sequence ;
(Px,tl,t2,t3,t4,t5) and gives the signed sequence to the key lO management center 24 (or to user ~, who will then give all of:~
the signed public pieces at once to the key management center). Upon receiving all the signed sequences relative to a given public key Px, the key management center verifies that these sequences contain the same subsequence of public pieces tl...t5 and that the product of the public pieces indeed equals Px. If so, center 24 approves Px as a public key and distributes it as in the original scheme (e.g., signs it and gives it to user X). The encryption and decryption instructions for any pair of users X and Y are e~actly as in tlle Di~fie and Hellman scheme (i.e., with co~mon, secret key Sxy) .
This way of proceeding matches the previously-described way of constructing a fair PKC. A still fair version of the Diffie-Hellman scheme can be obtained in a simpler manner ~y 25 having the user give to each trustee Ti just the puhlic piece:~
ti and its corresponding private piece Sxi, and have the user , 2118~3 give the key management center the public key Px. The center will approve Px only if it receives all public pieces, signed by the proper trustee, and the product of these public pieces equals Px. In this way, trustee Ti can verify that Sxi is the discrete logarithm of public piece ti. Such trustee cannot quite verify that Sxi is a legitimate share of Px since the trustee has not seen Px or the other public pieces.
Nonetheless, the result is a fair PKC based on the Diffie-Hellman scheme because properties (1)-(3) described above are still satisfied.
Either one of the above-d~scribed fair PKC has the same degree of privacy of communication offered by the underlying Diffie-Hellman scheme. In fact, the validation of a public key does not compromise the corresponding private key. Each trustee Ti receives, as a special piece, the discrete logarithm, S$i~ of a random number, ti. This information is clearly irrelevant fr computing the discrete logarithm of Px.
The same is actually true for any 4 of the trustees taken together, since any four special pieces are independent of the private decryption key Sx. Also ~he key management center does not poss2ss any information relevant to the private key;
i.e., the discrete logarithm of Px. All the center has are the public pieces respectively signed by the trustees. The public pieces simply are 5 random numbers whose product is Px. This type of information is irrelevant for computing the discrete loqarithm of Px; in fact, any one could choose four :
~r. .
~``
integers at random and setting the fifth to be Px divided by the product o~ the first four. T~le result would be integral because division is modulo p. As for a trustee's signature, this just represents the promise that someone else has a secret piece.
Even the information in the hands of the center together with any four of the trustees is irrelevant for computing the private key Sx. Thus, not only is the user guaranteed that the validation procedure will not betray his private key, but he also knows that this procedure has been properly followed because it is he himself that computes his own keys and the pieces of his private one.
Second, if the key management center ~alidates the public key P~, then its private key is guararlteed to he reconstructable by the government in case of a court order.
In fact, the center receives all 5 public pieceis of Px, each signed by the proper trustee. These signatures testify that trustee Ti possesses the discrete logarithm of public piece ti. Since the center verifies that the product of the publio pieces equals P~, it also knows that the sum of the secret pieces in storage with the trustees equals the discrete logarithm of Px; i.e, user X's private key. Thus the center knows that, if a court order were issued requesting the private key of X, the government is guaranteed to obtain the needed private key by sunming the values received by the trustees.
RSA Fair PKC:
The followillg describes a fair PKC based on the known RSA
function. In the ordinary RSA PKC, the public key con~ists of an integer N product of two primes and cne expo~ent e (relatively prime with f(N), where F is Euler's quotient fun~tion). No matter what the exponent, the private key may always be chosen to be N's factorization. By way of brief ~ackgrourld, the RSA scheme has certain characteristics that derive from aspects of number theory:
Fact 1. Let ZN d~note the multiplicative group of the integers between 1 and N and relatively prime with N. If N is the product of two primes N~pq (or two prime powers: N~papb~, then 5 (1) a number s in ZN i5 a square mod N if and only if it has four distinct square-roots mod N: x, -x mod N, y, and -y mod N (i.e., ~2 ~ y2 = s mod N). Moreover, from th~
greatest common divisor of + -~ + -y and N, one easily computes the factorization of N. Also;
~2) one in four of the numbers in ZN is a square mod N.
~ Fact 2. Among the integers in ZN is defined a function, _ ;l the Jacobi symbol, that evaluates easily to either 1 or ~
2S The Jacobi symbol of x is denoted by ~s/N3. The Jacobi symbol is multiplicative; i.e., (x~N)(Y/N) ~ ~xy~N). If N is the ~:
, ~'..
product of two prilnes N-pq (or two prime powers: N~papb), ~he p and 1 are congruent to 3 mod 4. Then, if + -x and ~ -y are the four square roots of a square mod N (s/N)=(-x/N)=+l and (y/N) - (-y/N) =-1. Thus, because of Fact 1, if one is given a Jacobi symbol 1 root and a Jacobi symbol 1 root of any square, he can easily factor N.
With this background, the following describes how the RSA
cryptosystern can be made fair in a simple way. For simplici~y again assume there are five trustees and that all of them must colla~orate to reconstruct a secret key, while no four of them can even predict it. The RSA cryptosystem is easily converted illto a fair PKC by efficiently sharing with the trustee's N's Eactorization. In particular, the trustees are privately provided information that, perhaps together with other given common information, enables one to reconstrust two (or more) square roots x and y (~ different from ~y mod N3 of a cornmon square mod N. The given common information may be the -1 Jaco~i symbol root o X~, which is equal to y.
A user chooses P and Q primes congruent to 3 mod 4, as his private key and ~ ~ PQ as his public key. Then he chooses 5 Jacobi 1 i~tegers Xl, X2~ X3, X~ and X5 (preferably at random) in ZN~ and computes their product, X, and Xi2 ntod N
~or all i - 1, . . . ,5. The product of the last 5 squares, Z, is itsel a square. One square root of Z mod N is X, 25 which has Jacobi symbol equal to 1 (since the Jacobi symbol is ~ `~
multiplicative). The user computes Y, one of the Jacobi -1 .
2 ~ L~ 9 ~
roots mod N; Xl, . . . X5 will be the public piec2s of public key N and the ~i s the private pieces. The user gives trustee Ti private piece Xi (and possibly the corresponding public piece, all other public pieces and Px, depending on whether it S is desired that the verification of the shares so as to satisfy properties (1~-(3) is performed by both trustees and the center, or the trustees alone). Trustee Ti squares Xi mod N, gives the key management center his signature of Xi2, and stores Xi.
10 The center first checks that (~l/N),l, i.e~, for all x: ~-(x~N) ~ (-x/N). This is partial evi~ence that N is of the right form. Upon receiving the valid signature of the public pieces o~ N and the Jacobi -1 value Y from the user, the ce~ter ch~cks whether mod N the square of Y equals the product of the five public piecesO If so, it checks, possibly with the help of the user, that N is the product of two prime .
powers. If so, the center approves N.
The reasoning behind the scheme is as follows. The -trustees' signatures of the Xi2~s (mod N~ guarantee the center that every trustee Ti has stored a Jacobi symbol 1 root of Xi2 mod N. Thus, in case of a court order, all these Jacobi symbol 1 roots can be retrieve~. Their product, mod N, will also have Jaco~i symbol 1, slnce this function is multiplicative, and will be a root of x2 mod N. ~ut since the center has veriied that y2 ~ x2 mod N, one would have tWG
roots X and Y of a common square mod N. Moreover, Y is .
'~1 1,8ll93 diferent ~rom X since it has different Jacobi symbol, and ~ -is also different from -x, since (-x/N) ~ (s/N) because (a) (-l/N) has been checked to be 1 and (b) the Jacobi symbol is multiplicative. Possession of such square roots, by Facts 1 and 2, is equivalent to having the factorization of N, provided that N is product of at most two prime powers. This last property has also been checked by the center before it has approved N.
Verification that N is the product of at most two prime powers can be performed in various ways. For instance, the center and user can engage in a zero-knowledge proof of this fact. Alternatively, the user may provide the center with the square root mod N for roughly 1/4 of the integers in a prescribed and random enough sequence o~ integers. For instance, such a sequence could be determined by one-way hashing N to a short seed and then expanding it into a longer : :
sequence using a psuedo-random generator. If a dishonest user has chosen his N to be the product of three or rnore prime powers, then it would be foolish for him to hope that roughly 1/4 of t~e integers in the seqllence are squares mod N. In fact, for his choice of N, at most 1/8 of the intec3ers have square roots mod N.
Variations The above schemes can be modified in many ways. For instance, the proof that N is product of two prime powers can be done by the trustees (in collaboration with the user), who ..
~ 3 then inform the center of their findings. Also, the scheme can be modified so that the cooperation of the majority of the trustees is sufficient for reconstructing the secret key, while any minority cannot gain any information about the secret key. Also, as with all fair cryptosystems, one can arrange that when the government asks a trustee for his piece of the secret key of a user, the trustee does not learn about the identity of th~ user. The variations are discussed in more detail below.
In particular, the schemes described above are robust in ~ ~
the sense that some trustees, accidentally or maliciously, may ~ ~-reveal the shares in their posses~ion without compromising the security of the system. However, these schemes r~ly on the Eact that the trustees will colla~orate during the reconstruction stage. In fact, it was insisted that all of the shares should be needed Eor recovering a secret k~y. This requirement may he disadvantageous, eithex becausa some trustees may reveal to be untrustworthy and refuse to give the government the key in their possession, or because, despite all file backups, the trustee may haYe genuinely lost the information in its possession. Whatever the reason, in this circumstance the reconstruction of a secret key will be prev~nted. This problem is also solved by the present invention.
By way of background, "secret sharing" (with parameters n,T,t) ~s a prior cryptographic scheme consisting of two .. ' .' ~:
_ 20 ~
~ , ',:
r~
phases: in-phase one a secret value chosen by a distinguished person, the dealer, is put in safe storage with n people or computers, the trustees, by giving each one of them a piece o information. In phase two, when the trustees pool together the informakion in their possession, the secret is recovered.
Secret sharing has a rnajor disadvantage -- it presupposes that the dealer gi~es the trustees correct shares (pieces of information) about his secret value. "Verifiable Secret Sharing" (VSS) solves this "honesty" problem. In a VSS
scheme, each trustee can verify that the share gi~en to him is genuine without knowing at all the shares of other trustees of the secret itself. Specifically, the trustee can verify that, i T verified shares are revealed, the original secret will be recons~rl1cted, no matter what the dealer or dishonest trustees might do.
The a~ove-described fair PKC schemes are based on a properly structured, non-interactive verifiable secret sharing ; scheme with parameters n-5, T~5 and ~,4. According to the present invention, it may be desira~le to have different values of these parameters, e.g., n~5, TD3 and t~2. In such case, any majority of the trustees can recover a secret key, whi le no minority of trust~es can predict it all. This is achieved as follows ~and be simply generalized to any desired values of n, T and t in which T?t).
2~
~.
~, :
Su~s~ L~l~e Diffie-Hellman Scheme~
After choosing a secret key Sx in [1, p-1], user X
computes his public key Px , gSx mod p (with all computations below being mod p). User X now considers all triplets of numbers ~etween 1 and 5: (1,2,3), (Z,3,4) etc. For each triplet (a,b,c), user X randomly chooses three integers Slabc, ..., S3abc in the interval [1, p-l] so that their surn mod p equals Sx. Then he computes the numbers:
_ lO:l tlabc = gSlabC~ t2abc = gS2abc, t3abc39S3abc The tiabc's will be referred to as public pieces of Px, and the Siabc's as private pieces. ~gain, the product of the public pieces eq~als the public key Px. In fact, s tlabc t2abc t3abc ., 9slabc.gs2abc.gs3ab , g (Slabc+ .~.S3abc), gSx, Px User X then gives trustee ~a tla~c and Slabc, trustee Tb t2abc and SZabc, and trustee Tc t3abc and S3abc, always specifying the triplet in question. Upon receiving these quantities, trustee Ta ~all other trustees do something similar3 verifies th t tlabc ~ gSlabc~ signs the value (Px, tlabc, (a,b,c)) and gives the signature to the management center.
2S The key manageMent center, for each triple (a~b,c), retrieves the values tlabc, ~2abc and t3abc from the signed - 2 ~ 9 3 ~ ;
information received from trustees, Ta, Tb and Tc. I the product of these three values equals Px and the signatures are valid, the center approves P~ as a public key.
The reason the scheme works, assuming that at most 2 trustees are untrustworthy, is that all secret pieces of a triple are needed for computing (or predicting~ a secret key.
Thus no secret key in the system can be retrieved by any 2 trustees. On the other hand, after a court order at least three trustees reveal all the secret pieces in their possession about a given public key. The governm2nt then has all the necessary secret pieces for at least one triple, and thus can compute easily the desired secret kèy.
Alternatively, each trustee is replaced by a group of new trustees. For instance, instead of a single trustee Ta, there may be three trustees: Tal, Ta2 and Ta3. Each of these trustees will receive and check the same share o~ trustee Ta.
In Lhis way it is very unlikely that all three trustees will refuse to surrender ~heir copy of the first share.
After having insured that a few potentially malicious -trustees cannot prevent reconstruction of the key, there are still further security issues to address, namely~ a trust~e --requested by a court order to surrender his share of a given secret key -- may alert the owner of that key that his co~nunications are about to be monitored. This problem i5 also solved by the invention. A simple solution arises if the cryptosystem used b~ the trustees possess certain algebraic 8 ~ ~ 3 -properties; This is illustrated for the Diffie-Hell~an case, though the same result occurs for the RSA scheme. In the following discussion, for simplicity it is assumed that all trustees collaborate in t~e reconstruction of the secret key.
Qblivious an~ Fair Diffie-Hellman Scheme:
Assume that all trustees use deterministic RSA for receiving private messages. Thus, let Ni be the public RSA
modulus o trustee Ti and ei his encryption exporlent (i.e., to send Ti a message m in encrypted form, one would send mei mod Ni).
User U prepares his public and secret key, respectively Px and Sx ~thus Px ~ gS~ mod p), as well as his public and secret pieces of the secret key, respectively ti and Sxi's il (thus Px , tl, t2 ... t5 mod p and ti ~ gSxi mod p ror all i). Then, the user gives to the key management center Px, all ot the ti's and the n values Ui , (Sxi)3 mod Ni; i.e., he encrypts the i-th share with the public key of trustee Ti.
Since '~he center does not know the factorization of ~he Ni's, this is not useful information to predict Sx, nor can the center veri~y that the decryption of the n ciphertexts are proper shares of S~. For this, the center will seek the cooperation of the n trustees, but without informing them of the identity of the user as will be described.
The center stores the values tj's and Uj's relative to user U and then forwards Ui and ti to trustee Ti. If every . . ' . .
::
~ 24 - ~
:::
,.,",;~ ,.. "~,.,~,.. ,.;,,,,,,",................. .... ..
2 ~ 9 ~ :
,~`
trustee Ti verified that the decryption of Ui is a proper private piece relative to ti, the center approves Px.
Assume now that the iudicial authority decides to monitor user U's communications. To lawfully reconstruct secret key Sx without leaking to a trustee the identity of the suspecte~
user U, a judge (or another authorized representative) randomly selects a number Ri mod Ni and computes yi , Ri ei mod Ni. Then, he sends trustee Ti the value zi ~ Ui-yi mod Ni, asking with a court order to compute and send back wi, the ei-th root of zi mod Ni. Since zi is a random number mod Ni, no matter what the value o Ui is, trustee Ti cannot guess the identity of the user U in question. Moreover, since zi is the product of Ui and yi mod Ni, the ei-th root of zi is the product mod Ni of the ei-th root of Ui (i.e., Sxi) and the ei-th root of yi (i.e., Ri). Thus, upon receiving wi, the judge divides it by yi mod Ni, thereby computing the desired Sxi. The product of these S~i's equals the desired Sx.
Further variation~:
In other variations of the invention, in case of a COUlt order, the government is only authorized to understand the messages concerning a given user for a limited amount of time. The collective approval of all trustees may stand for the government approval. Also, trustees need not store their piece of the private key. The encryption of this piece -- in the trustee's public key and signed by the trustee -- can be made part of the user's pnblic key. In this way, the pu~lic . ' ..
key carries the proof of its own allthenticity and verification. In t~e latter case it may be advantageous to break the trustee~s private keys into pieces.
If the user is an electronic device, such as an integrated circuit chip, the basic process of key selection and public-key validation can be done before the device leaves the factory. In this case, it may be advantageous that a "copy" of the trustee can be maintained within the factory.
copy of a trustee is a physically secure chip -- one whose - 10 data cannot be read -- containing a copy of the trustee's decryption key. The trustee (i.e., the party capable of giving the piece of a private key under a court order) need not necessarily coincide with this device. ;~
In another variation, it may be arranged that the trustees each a have piece of the government private key, and ~ that each user's private key is encrypted with the public key ~:
o~ the government.
While the use of a fair PKC in a telecommunications network (and under the authority of the government) has been described, such description is not meant to be taken by way of limitation. A fair P~C can be used in private organizations ~ ~-as well. For e~ample, in a large organiz~tion where there is a need for privacy, assume there is an established "superior"
but not all employees can be trusted since there are too many of them. The need for privacy requires the use of encryption. Because not all employees can be trusted, using a ~ 8 ~ ~ 3 single encryption key for the whole company is unacceptable, as is using a number of single-key cryptosystems (since this would generate enormous key-distribution problems). Having each employee use his own double-key system is also dangerous, since ~le or she might conspire against the company with great secrecy, impunity and convenience.
In such application of a fair PKC, numerous advantages are obtained. First, each employee is in charge of choosing his own keys. While enjoying the advantages of a more distributed procedure, the organization retains absolute control because the superior is guaranteed to be able to decrypt every employee's communications when necessary. There is no need to change keys when the superior changes because the trustees need not be changed. The trustees' storage places need less surveillance, since only compromising all of them will give an adversary any advantage.
For making fair a private key cryptosystem, but also or a PKC, it i5 desirable that each trustee first deposits an encrypted version or otherwise committed version of tliS share, so that, whe~ he is asked to reveal what his share was, he cannot change his mind about its value. Also, it is desirable that the user gives his shares to the trustees signed; such signatures can be relative to a different public key (if they are diqital signatures) or to the same new public key if the new key can be used for signing ~s well. In this way, the share revealed by the trustee clearly proves that it way 2 ~ 3 originated; ~etter still, the user may sign (with the trustee's key) the encryption of the share given to a trustee, and the signature can be revealed together with the~share.
This approach insures that one can both be certain that what was revealed was a share approved by the user and also that the trustees and the user cannot collaborate later on in changing its value.
It should be appreciated by those skilled in the art that the specific embodiments disclosed above may be readily utilized as a basis or modifying or designing other techniques and processes for carrying out the same purposes of the present invention. It should also be realized by those skilled in the art that such equivalent constructions do not depart from the spirit and scope of the invention as set forth in the appended claims.
Given all 5 special pieces or "shares", one can veriy that they are correct by checki~g that they indeed yield the private decryption key. According to one feature of the invention, property (3) insures that each special piece can be ~, verified to be correct (i.e., that together with the other 4 special pieces it yields the private key) individually, i.e., without knowing the secret key at all an~ without knowing the -~
value of any of the other special pieces.
The user then privately (e.g., in encrypted forrn) gives trustee 22i his own public key and the i-th piece of its associated secret key. Each trustee 22 individually inspects his received piece, and, if it is correct, approves the public key (e.g. signs it) and saf~ly stores the piece relative to it. These approvals ar~ given to a key management center 24, either directly by the trustees, or (possibly in a single ~
message) by the individual user who collects them from the ~ ~ -trustees. The center 24, which may or may not coincide with the government, itsel approves (e.g., signs) any public key that is approved by all trustees. These center-approved keys ~ ~;
l , _9- ~
~ : :
r~ 3~
are the public keys of the fair PKC and they are distribu~ed and used ~or private communication as in an ordinary PKC.
Because the special pieces of each decryption key are privately given to the trustees, an adversary w~o taps the communication line of two users possesses the same information as in the underlying, ordinary PKC. Thus if the underlying PKC is secure, so is the fair PKC. Moreover, even if the adversary were one of the trustees himself, or even a cooperating collection of any four out of ~ive of .he trustees, property (2) insures that the adversary would still have the same information as in the ordinary PKC. Because the possibility that an adversary corrupts five out of five judges is absolutely remote, the security of the resulting fair PKC
is the same as in the underlying PKC.
When presented with a court order, for example, the~
truste~s 22 reveal to the government 20 the pieces of 3 given decryption key in their possession. According to the invention, the trustees may or may not be aware of the identity of the user who possesses the given decryption key.
This provides additional security against ~'compromised"
trustees who might otherwise tip off the suspec~ user once a re~uest for tha~ user's decryption key share is received by the tru~tee.
Upon receiving the shares, the government reconstructs 251~ the given decryption key. By property (3)~ each trustee previously verified whether he was given a correct special l n 3 piece of a given decryption key. Moreover, every public key was authorized by the key management center 24 only if it was approved by all trustees 22. Thus, the government is guaranteed that, in case of a court order, it will be given 5 all special pieces of any decryption key. By property (1), this is a guarantee that the gGvernment will be able to reconstruct any given decryption key if necessary to monitor communications over the network.
Several types of fair PKC's are now described in more lO detail.
Diffie ~nd Hellman's PK~
The Diffie and Hellman public-key cryptosystem is known and is readily transformed into a fair PKC by the present invention. In the Dif~ie and H011man scheme, each pair of 15 users X and Y succe~ds, without any interaction, in agreeing upon a common, secre~ key Sx~ to be used as a conventional ~-~
single-key cryptosystem. In the ordinary Diffie-Hellrnan PKC, there are a prime p and a generator ~or high-order element) g t common to all users. User X secretly selects a random integer ~-~n Sx in the interval [1, p-l] as his private key and publicly announces the integer p~ , gSx mod p as his public key.
Another user, Y, will similarly sel~ct Sy as his private key and announc~ py ~ gSY mod p as his public key. The value of t~liS key is determined as sxy ~ gS~Sy mod p. User X computes 25 Sxy by raising Y's public key to his private key mod pX, and _~ .
C ~
2~8~9~ :
us~r Y by raising X~s public key to his secret key mod p. In fact: ;
( g X ) Sy = g SxSy = Sxy D 9 Sys2 = ( 9 S~ ) S X mo~ P
While it is easy, given 9, p and x, to compute y _ gx mod p, no efficient algorithm is known for computing, given y and p, x such that gx _ y mod p when g has high enough order. This is the discrete logarithm problem. This problem has been used as the basis o~ security in many cryptosystems. The Diffie and Hellman's PKC is transformed into a air one in the following manner.
Each user X randomly chooses 5 integers Sxl, . . . Sx5 in the interval [1, p-l] and lets Sx be their sum mod p. It should be understood that all following operations are modulo p. User X then computes the numbers:
tl , 9Sxl , . , , t5~9sxs and Px ~ gSx~
Px will be User X's public key and Sx his private key. The ti's will be referred to as the public pieces of Px, and the Sxi's as the private pieces. It should be noted that the product of the public pieces equals the public key P2. In fact:
. ' ' . ~' t 8 ~
- tl ................ ts = gSxl ... gSx5 = g(S~ Sxs) = gSx -:
Let Tl,. . . T5 be the five trustees. User X now gl~es Px, the public pieces and Sxl t~ trustee Tl, Px, the public pieces and Sx2 to trustee T2, and so on. Piece Sxi is privately given to trustee Ti. Upon receiving public and private pieces ti and Sxi, trustee Ti verifies whether gS~l , Ti. If so, the ~:
trustee stores the pair (Px, Sxi), signs the sequence ;
(Px,tl,t2,t3,t4,t5) and gives the signed sequence to the key lO management center 24 (or to user ~, who will then give all of:~
the signed public pieces at once to the key management center). Upon receiving all the signed sequences relative to a given public key Px, the key management center verifies that these sequences contain the same subsequence of public pieces tl...t5 and that the product of the public pieces indeed equals Px. If so, center 24 approves Px as a public key and distributes it as in the original scheme (e.g., signs it and gives it to user X). The encryption and decryption instructions for any pair of users X and Y are e~actly as in tlle Di~fie and Hellman scheme (i.e., with co~mon, secret key Sxy) .
This way of proceeding matches the previously-described way of constructing a fair PKC. A still fair version of the Diffie-Hellman scheme can be obtained in a simpler manner ~y 25 having the user give to each trustee Ti just the puhlic piece:~
ti and its corresponding private piece Sxi, and have the user , 2118~3 give the key management center the public key Px. The center will approve Px only if it receives all public pieces, signed by the proper trustee, and the product of these public pieces equals Px. In this way, trustee Ti can verify that Sxi is the discrete logarithm of public piece ti. Such trustee cannot quite verify that Sxi is a legitimate share of Px since the trustee has not seen Px or the other public pieces.
Nonetheless, the result is a fair PKC based on the Diffie-Hellman scheme because properties (1)-(3) described above are still satisfied.
Either one of the above-d~scribed fair PKC has the same degree of privacy of communication offered by the underlying Diffie-Hellman scheme. In fact, the validation of a public key does not compromise the corresponding private key. Each trustee Ti receives, as a special piece, the discrete logarithm, S$i~ of a random number, ti. This information is clearly irrelevant fr computing the discrete logarithm of Px.
The same is actually true for any 4 of the trustees taken together, since any four special pieces are independent of the private decryption key Sx. Also ~he key management center does not poss2ss any information relevant to the private key;
i.e., the discrete logarithm of Px. All the center has are the public pieces respectively signed by the trustees. The public pieces simply are 5 random numbers whose product is Px. This type of information is irrelevant for computing the discrete loqarithm of Px; in fact, any one could choose four :
~r. .
~``
integers at random and setting the fifth to be Px divided by the product o~ the first four. T~le result would be integral because division is modulo p. As for a trustee's signature, this just represents the promise that someone else has a secret piece.
Even the information in the hands of the center together with any four of the trustees is irrelevant for computing the private key Sx. Thus, not only is the user guaranteed that the validation procedure will not betray his private key, but he also knows that this procedure has been properly followed because it is he himself that computes his own keys and the pieces of his private one.
Second, if the key management center ~alidates the public key P~, then its private key is guararlteed to he reconstructable by the government in case of a court order.
In fact, the center receives all 5 public pieceis of Px, each signed by the proper trustee. These signatures testify that trustee Ti possesses the discrete logarithm of public piece ti. Since the center verifies that the product of the publio pieces equals P~, it also knows that the sum of the secret pieces in storage with the trustees equals the discrete logarithm of Px; i.e, user X's private key. Thus the center knows that, if a court order were issued requesting the private key of X, the government is guaranteed to obtain the needed private key by sunming the values received by the trustees.
RSA Fair PKC:
The followillg describes a fair PKC based on the known RSA
function. In the ordinary RSA PKC, the public key con~ists of an integer N product of two primes and cne expo~ent e (relatively prime with f(N), where F is Euler's quotient fun~tion). No matter what the exponent, the private key may always be chosen to be N's factorization. By way of brief ~ackgrourld, the RSA scheme has certain characteristics that derive from aspects of number theory:
Fact 1. Let ZN d~note the multiplicative group of the integers between 1 and N and relatively prime with N. If N is the product of two primes N~pq (or two prime powers: N~papb~, then 5 (1) a number s in ZN i5 a square mod N if and only if it has four distinct square-roots mod N: x, -x mod N, y, and -y mod N (i.e., ~2 ~ y2 = s mod N). Moreover, from th~
greatest common divisor of + -~ + -y and N, one easily computes the factorization of N. Also;
~2) one in four of the numbers in ZN is a square mod N.
~ Fact 2. Among the integers in ZN is defined a function, _ ;l the Jacobi symbol, that evaluates easily to either 1 or ~
2S The Jacobi symbol of x is denoted by ~s/N3. The Jacobi symbol is multiplicative; i.e., (x~N)(Y/N) ~ ~xy~N). If N is the ~:
, ~'..
product of two prilnes N-pq (or two prime powers: N~papb), ~he p and 1 are congruent to 3 mod 4. Then, if + -x and ~ -y are the four square roots of a square mod N (s/N)=(-x/N)=+l and (y/N) - (-y/N) =-1. Thus, because of Fact 1, if one is given a Jacobi symbol 1 root and a Jacobi symbol 1 root of any square, he can easily factor N.
With this background, the following describes how the RSA
cryptosystern can be made fair in a simple way. For simplici~y again assume there are five trustees and that all of them must colla~orate to reconstruct a secret key, while no four of them can even predict it. The RSA cryptosystem is easily converted illto a fair PKC by efficiently sharing with the trustee's N's Eactorization. In particular, the trustees are privately provided information that, perhaps together with other given common information, enables one to reconstrust two (or more) square roots x and y (~ different from ~y mod N3 of a cornmon square mod N. The given common information may be the -1 Jaco~i symbol root o X~, which is equal to y.
A user chooses P and Q primes congruent to 3 mod 4, as his private key and ~ ~ PQ as his public key. Then he chooses 5 Jacobi 1 i~tegers Xl, X2~ X3, X~ and X5 (preferably at random) in ZN~ and computes their product, X, and Xi2 ntod N
~or all i - 1, . . . ,5. The product of the last 5 squares, Z, is itsel a square. One square root of Z mod N is X, 25 which has Jacobi symbol equal to 1 (since the Jacobi symbol is ~ `~
multiplicative). The user computes Y, one of the Jacobi -1 .
2 ~ L~ 9 ~
roots mod N; Xl, . . . X5 will be the public piec2s of public key N and the ~i s the private pieces. The user gives trustee Ti private piece Xi (and possibly the corresponding public piece, all other public pieces and Px, depending on whether it S is desired that the verification of the shares so as to satisfy properties (1~-(3) is performed by both trustees and the center, or the trustees alone). Trustee Ti squares Xi mod N, gives the key management center his signature of Xi2, and stores Xi.
10 The center first checks that (~l/N),l, i.e~, for all x: ~-(x~N) ~ (-x/N). This is partial evi~ence that N is of the right form. Upon receiving the valid signature of the public pieces o~ N and the Jacobi -1 value Y from the user, the ce~ter ch~cks whether mod N the square of Y equals the product of the five public piecesO If so, it checks, possibly with the help of the user, that N is the product of two prime .
powers. If so, the center approves N.
The reasoning behind the scheme is as follows. The -trustees' signatures of the Xi2~s (mod N~ guarantee the center that every trustee Ti has stored a Jacobi symbol 1 root of Xi2 mod N. Thus, in case of a court order, all these Jacobi symbol 1 roots can be retrieve~. Their product, mod N, will also have Jaco~i symbol 1, slnce this function is multiplicative, and will be a root of x2 mod N. ~ut since the center has veriied that y2 ~ x2 mod N, one would have tWG
roots X and Y of a common square mod N. Moreover, Y is .
'~1 1,8ll93 diferent ~rom X since it has different Jacobi symbol, and ~ -is also different from -x, since (-x/N) ~ (s/N) because (a) (-l/N) has been checked to be 1 and (b) the Jacobi symbol is multiplicative. Possession of such square roots, by Facts 1 and 2, is equivalent to having the factorization of N, provided that N is product of at most two prime powers. This last property has also been checked by the center before it has approved N.
Verification that N is the product of at most two prime powers can be performed in various ways. For instance, the center and user can engage in a zero-knowledge proof of this fact. Alternatively, the user may provide the center with the square root mod N for roughly 1/4 of the integers in a prescribed and random enough sequence o~ integers. For instance, such a sequence could be determined by one-way hashing N to a short seed and then expanding it into a longer : :
sequence using a psuedo-random generator. If a dishonest user has chosen his N to be the product of three or rnore prime powers, then it would be foolish for him to hope that roughly 1/4 of t~e integers in the seqllence are squares mod N. In fact, for his choice of N, at most 1/8 of the intec3ers have square roots mod N.
Variations The above schemes can be modified in many ways. For instance, the proof that N is product of two prime powers can be done by the trustees (in collaboration with the user), who ..
~ 3 then inform the center of their findings. Also, the scheme can be modified so that the cooperation of the majority of the trustees is sufficient for reconstructing the secret key, while any minority cannot gain any information about the secret key. Also, as with all fair cryptosystems, one can arrange that when the government asks a trustee for his piece of the secret key of a user, the trustee does not learn about the identity of th~ user. The variations are discussed in more detail below.
In particular, the schemes described above are robust in ~ ~
the sense that some trustees, accidentally or maliciously, may ~ ~-reveal the shares in their posses~ion without compromising the security of the system. However, these schemes r~ly on the Eact that the trustees will colla~orate during the reconstruction stage. In fact, it was insisted that all of the shares should be needed Eor recovering a secret k~y. This requirement may he disadvantageous, eithex becausa some trustees may reveal to be untrustworthy and refuse to give the government the key in their possession, or because, despite all file backups, the trustee may haYe genuinely lost the information in its possession. Whatever the reason, in this circumstance the reconstruction of a secret key will be prev~nted. This problem is also solved by the present invention.
By way of background, "secret sharing" (with parameters n,T,t) ~s a prior cryptographic scheme consisting of two .. ' .' ~:
_ 20 ~
~ , ',:
r~
phases: in-phase one a secret value chosen by a distinguished person, the dealer, is put in safe storage with n people or computers, the trustees, by giving each one of them a piece o information. In phase two, when the trustees pool together the informakion in their possession, the secret is recovered.
Secret sharing has a rnajor disadvantage -- it presupposes that the dealer gi~es the trustees correct shares (pieces of information) about his secret value. "Verifiable Secret Sharing" (VSS) solves this "honesty" problem. In a VSS
scheme, each trustee can verify that the share gi~en to him is genuine without knowing at all the shares of other trustees of the secret itself. Specifically, the trustee can verify that, i T verified shares are revealed, the original secret will be recons~rl1cted, no matter what the dealer or dishonest trustees might do.
The a~ove-described fair PKC schemes are based on a properly structured, non-interactive verifiable secret sharing ; scheme with parameters n-5, T~5 and ~,4. According to the present invention, it may be desira~le to have different values of these parameters, e.g., n~5, TD3 and t~2. In such case, any majority of the trustees can recover a secret key, whi le no minority of trust~es can predict it all. This is achieved as follows ~and be simply generalized to any desired values of n, T and t in which T?t).
2~
~.
~, :
Su~s~ L~l~e Diffie-Hellman Scheme~
After choosing a secret key Sx in [1, p-1], user X
computes his public key Px , gSx mod p (with all computations below being mod p). User X now considers all triplets of numbers ~etween 1 and 5: (1,2,3), (Z,3,4) etc. For each triplet (a,b,c), user X randomly chooses three integers Slabc, ..., S3abc in the interval [1, p-l] so that their surn mod p equals Sx. Then he computes the numbers:
_ lO:l tlabc = gSlabC~ t2abc = gS2abc, t3abc39S3abc The tiabc's will be referred to as public pieces of Px, and the Siabc's as private pieces. ~gain, the product of the public pieces eq~als the public key Px. In fact, s tlabc t2abc t3abc ., 9slabc.gs2abc.gs3ab , g (Slabc+ .~.S3abc), gSx, Px User X then gives trustee ~a tla~c and Slabc, trustee Tb t2abc and SZabc, and trustee Tc t3abc and S3abc, always specifying the triplet in question. Upon receiving these quantities, trustee Ta ~all other trustees do something similar3 verifies th t tlabc ~ gSlabc~ signs the value (Px, tlabc, (a,b,c)) and gives the signature to the management center.
2S The key manageMent center, for each triple (a~b,c), retrieves the values tlabc, ~2abc and t3abc from the signed - 2 ~ 9 3 ~ ;
information received from trustees, Ta, Tb and Tc. I the product of these three values equals Px and the signatures are valid, the center approves P~ as a public key.
The reason the scheme works, assuming that at most 2 trustees are untrustworthy, is that all secret pieces of a triple are needed for computing (or predicting~ a secret key.
Thus no secret key in the system can be retrieved by any 2 trustees. On the other hand, after a court order at least three trustees reveal all the secret pieces in their possession about a given public key. The governm2nt then has all the necessary secret pieces for at least one triple, and thus can compute easily the desired secret kèy.
Alternatively, each trustee is replaced by a group of new trustees. For instance, instead of a single trustee Ta, there may be three trustees: Tal, Ta2 and Ta3. Each of these trustees will receive and check the same share o~ trustee Ta.
In Lhis way it is very unlikely that all three trustees will refuse to surrender ~heir copy of the first share.
After having insured that a few potentially malicious -trustees cannot prevent reconstruction of the key, there are still further security issues to address, namely~ a trust~e --requested by a court order to surrender his share of a given secret key -- may alert the owner of that key that his co~nunications are about to be monitored. This problem i5 also solved by the invention. A simple solution arises if the cryptosystem used b~ the trustees possess certain algebraic 8 ~ ~ 3 -properties; This is illustrated for the Diffie-Hell~an case, though the same result occurs for the RSA scheme. In the following discussion, for simplicity it is assumed that all trustees collaborate in t~e reconstruction of the secret key.
Qblivious an~ Fair Diffie-Hellman Scheme:
Assume that all trustees use deterministic RSA for receiving private messages. Thus, let Ni be the public RSA
modulus o trustee Ti and ei his encryption exporlent (i.e., to send Ti a message m in encrypted form, one would send mei mod Ni).
User U prepares his public and secret key, respectively Px and Sx ~thus Px ~ gS~ mod p), as well as his public and secret pieces of the secret key, respectively ti and Sxi's il (thus Px , tl, t2 ... t5 mod p and ti ~ gSxi mod p ror all i). Then, the user gives to the key management center Px, all ot the ti's and the n values Ui , (Sxi)3 mod Ni; i.e., he encrypts the i-th share with the public key of trustee Ti.
Since '~he center does not know the factorization of ~he Ni's, this is not useful information to predict Sx, nor can the center veri~y that the decryption of the n ciphertexts are proper shares of S~. For this, the center will seek the cooperation of the n trustees, but without informing them of the identity of the user as will be described.
The center stores the values tj's and Uj's relative to user U and then forwards Ui and ti to trustee Ti. If every . . ' . .
::
~ 24 - ~
:::
,.,",;~ ,.. "~,.,~,.. ,.;,,,,,,",................. .... ..
2 ~ 9 ~ :
,~`
trustee Ti verified that the decryption of Ui is a proper private piece relative to ti, the center approves Px.
Assume now that the iudicial authority decides to monitor user U's communications. To lawfully reconstruct secret key Sx without leaking to a trustee the identity of the suspecte~
user U, a judge (or another authorized representative) randomly selects a number Ri mod Ni and computes yi , Ri ei mod Ni. Then, he sends trustee Ti the value zi ~ Ui-yi mod Ni, asking with a court order to compute and send back wi, the ei-th root of zi mod Ni. Since zi is a random number mod Ni, no matter what the value o Ui is, trustee Ti cannot guess the identity of the user U in question. Moreover, since zi is the product of Ui and yi mod Ni, the ei-th root of zi is the product mod Ni of the ei-th root of Ui (i.e., Sxi) and the ei-th root of yi (i.e., Ri). Thus, upon receiving wi, the judge divides it by yi mod Ni, thereby computing the desired Sxi. The product of these S~i's equals the desired Sx.
Further variation~:
In other variations of the invention, in case of a COUlt order, the government is only authorized to understand the messages concerning a given user for a limited amount of time. The collective approval of all trustees may stand for the government approval. Also, trustees need not store their piece of the private key. The encryption of this piece -- in the trustee's public key and signed by the trustee -- can be made part of the user's pnblic key. In this way, the pu~lic . ' ..
key carries the proof of its own allthenticity and verification. In t~e latter case it may be advantageous to break the trustee~s private keys into pieces.
If the user is an electronic device, such as an integrated circuit chip, the basic process of key selection and public-key validation can be done before the device leaves the factory. In this case, it may be advantageous that a "copy" of the trustee can be maintained within the factory.
copy of a trustee is a physically secure chip -- one whose - 10 data cannot be read -- containing a copy of the trustee's decryption key. The trustee (i.e., the party capable of giving the piece of a private key under a court order) need not necessarily coincide with this device. ;~
In another variation, it may be arranged that the trustees each a have piece of the government private key, and ~ that each user's private key is encrypted with the public key ~:
o~ the government.
While the use of a fair PKC in a telecommunications network (and under the authority of the government) has been described, such description is not meant to be taken by way of limitation. A fair P~C can be used in private organizations ~ ~-as well. For e~ample, in a large organiz~tion where there is a need for privacy, assume there is an established "superior"
but not all employees can be trusted since there are too many of them. The need for privacy requires the use of encryption. Because not all employees can be trusted, using a ~ 8 ~ ~ 3 single encryption key for the whole company is unacceptable, as is using a number of single-key cryptosystems (since this would generate enormous key-distribution problems). Having each employee use his own double-key system is also dangerous, since ~le or she might conspire against the company with great secrecy, impunity and convenience.
In such application of a fair PKC, numerous advantages are obtained. First, each employee is in charge of choosing his own keys. While enjoying the advantages of a more distributed procedure, the organization retains absolute control because the superior is guaranteed to be able to decrypt every employee's communications when necessary. There is no need to change keys when the superior changes because the trustees need not be changed. The trustees' storage places need less surveillance, since only compromising all of them will give an adversary any advantage.
For making fair a private key cryptosystem, but also or a PKC, it i5 desirable that each trustee first deposits an encrypted version or otherwise committed version of tliS share, so that, whe~ he is asked to reveal what his share was, he cannot change his mind about its value. Also, it is desirable that the user gives his shares to the trustees signed; such signatures can be relative to a different public key (if they are diqital signatures) or to the same new public key if the new key can be used for signing ~s well. In this way, the share revealed by the trustee clearly proves that it way 2 ~ 3 originated; ~etter still, the user may sign (with the trustee's key) the encryption of the share given to a trustee, and the signature can be revealed together with the~share.
This approach insures that one can both be certain that what was revealed was a share approved by the user and also that the trustees and the user cannot collaborate later on in changing its value.
It should be appreciated by those skilled in the art that the specific embodiments disclosed above may be readily utilized as a basis or modifying or designing other techniques and processes for carrying out the same purposes of the present invention. It should also be realized by those skilled in the art that such equivalent constructions do not depart from the spirit and scope of the invention as set forth in the appended claims.
Claims (18)
1. A method, using a public-key cryptosystem, for enabling a predetermined entity to monitor communications of users suspected of unlawful activities while protecting the privacy of law-abiding users, wherein each user is assigned a pair of matching secret and public keys, comprising the steps of:
breaking each user's secret key into shares;
providing trustees pieces of information enabling the trustees to verify that the pieces of information include shares of a secret key of some given public key; and upon a predetermined request, having the trustees reveal the shares of the secret key of a user suspected of unlawful activity to enable the entity to attempt reconstruction of the secret key for monitoring communications to the suspect user.
breaking each user's secret key into shares;
providing trustees pieces of information enabling the trustees to verify that the pieces of information include shares of a secret key of some given public key; and upon a predetermined request, having the trustees reveal the shares of the secret key of a user suspected of unlawful activity to enable the entity to attempt reconstruction of the secret key for monitoring communications to the suspect user.
2. The method as described in Claim 1 wherein the predetermined entity is a government agency and the predetermined request is a court order.
3. The method as described in Claim 1 wherein the identity of the suspect user is known to the trustees.
4. The method as described in Claim 1 wherein the identity of the suspect user is unknown to the trustees.
5. The method as described in Claim 1 further including the step of:
characterizing the suspect user's activities as unlawful if the entity is unable to monitor the suspect user's communications.
characterizing the suspect user's activities as unlawful if the entity is unable to monitor the suspect user's communications.
6. The method as described in Claim 1 wherein less than all of the shares of the suspect user's secret key are required to be revealed in order to reconstruct the secret key.
7. The method as described in Claim 1 wherein the shares are revealed to the entity upon the predetermined request.
8. The method as described in Claim 1 wherein a given minority of trustees are unable to reconstruct the secret key.
9. The method as described in Claim 1 wherein each trustee can verify that the pieces of information provided include a share of the secret key without interaction with any other trustee.
10. A method, using a public-key cryptosystem into a cryptosystem, for enabling a predetermined entity to monitor communications of users suspected of unlawful activities while protecting the privacy of law-abiding users, comprising the step of:
verifiably secret sharing each user's secret key with a plurality of trustees so that each trustee can verify that the share received is part of a secret key of some public key.
verifiably secret sharing each user's secret key with a plurality of trustees so that each trustee can verify that the share received is part of a secret key of some public key.
11. A method, using a public-key cryptosystem, for enabling a predetermined entity to monitor communications of users suspected of unlawful activities while protecting the privacy of law-abiding users, wherein each user is assigned a pair of matching secret and public keys, comprising the steps of:
breaking each user's secret key into shares;
providing trustees pieces of information that include shares of a secret key of some given public key; and upon a predetermined request, having the trustees reveal the shares of the secret key of a user suspected of unlawful activity to enable the entity to reconstruct the secret key and monitor communications to the suspect user.
breaking each user's secret key into shares;
providing trustees pieces of information that include shares of a secret key of some given public key; and upon a predetermined request, having the trustees reveal the shares of the secret key of a user suspected of unlawful activity to enable the entity to reconstruct the secret key and monitor communications to the suspect user.
12. The method as described in claim 10 further including the step of:
characterizing the suspect user's activities as unlawful if the entity is unable to monitor the suspect user's communications.
characterizing the suspect user's activities as unlawful if the entity is unable to monitor the suspect user's communications.
13. The method as described in Claim 10 wherein a given minority of trustees are unable to reconstruct the secret key.
14. The method as described in Claim 10 wherein each trustee can verify that the pieces of information provided include a share of the secret key without interaction with any other trustee.
15. A method, using a cryptosystem, for enabling a predetermined entity to monitor communications of users suspected of unlawful activities while protecting the privacy of law-abiding users, wherein a group of users has a secret key, comprising the steps of:
breaking the secret key into shares;
providing trustees pieces of information that include shares of the secret key; and upon a predetermined request, having the trustees reveal the shares of the secret key of a user suspected of unlawful activity to enable the entity to reconstruct the secret key and monitor communications to the suspect user.
breaking the secret key into shares;
providing trustees pieces of information that include shares of the secret key; and upon a predetermined request, having the trustees reveal the shares of the secret key of a user suspected of unlawful activity to enable the entity to reconstruct the secret key and monitor communications to the suspect user.
16. The method as described in Claim 15 further including the step of:
characterizing the suspect user's activities as unlawful if the entity is unable to monitor the suspect user's communications.
characterizing the suspect user's activities as unlawful if the entity is unable to monitor the suspect user's communications.
17. The method as described in Claim 15 wherein a given minority of trustees are unable to reconstruct the secret key.
18. The method as described in Claim 15 wherein each trustee can verify that the pieces of information provided include a share of the secret key without interaction with any other trustee.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US870,935 | 1992-04-20 | ||
| US08049929 US5315658B1 (en) | 1992-04-20 | 1993-04-19 | Fair cryptosystems and methods of use |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CA2118493A1 true CA2118493A1 (en) | 1994-10-21 |
Family
ID=21962505
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002118493A Abandoned CA2118493A1 (en) | 1992-04-20 | 1993-04-20 | Fair cryptosystems and methods of use |
Country Status (6)
| Country | Link |
|---|---|
| US (1) | US5315658B1 (en) |
| EP (1) | EP0695485B1 (en) |
| AT (1) | ATE202440T1 (en) |
| CA (1) | CA2118493A1 (en) |
| DE (1) | DE69427534D1 (en) |
| WO (1) | WO1994026044A2 (en) |
Families Citing this family (135)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5418854A (en) * | 1992-04-28 | 1995-05-23 | Digital Equipment Corporation | Method and apparatus for protecting the confidentiality of passwords in a distributed data processing system |
| US5491752A (en) * | 1993-03-18 | 1996-02-13 | Digital Equipment Corporation, Patent Law Group | System for increasing the difficulty of password guessing attacks in a distributed authentication scheme employing authentication tokens |
| WO1995005712A2 (en) * | 1993-08-13 | 1995-02-23 | Frank Thomson Leighton | Secret key exchange |
| CA2176032A1 (en) * | 1994-01-13 | 1995-07-20 | Bankers Trust Company | Cryptographic system and method with key escrow feature |
| US5712913A (en) * | 1994-02-08 | 1998-01-27 | Digicash Incorporated | Limited-traceability systems |
| US5481613A (en) * | 1994-04-15 | 1996-01-02 | Northern Telecom Limited | Computer network cryptographic key distribution system |
| US5557346A (en) * | 1994-08-11 | 1996-09-17 | Trusted Information Systems, Inc. | System and method for key escrow encryption |
| US5557765A (en) * | 1994-08-11 | 1996-09-17 | Trusted Information Systems, Inc. | System and method for data recovery |
| WO1996005674A1 (en) * | 1994-08-12 | 1996-02-22 | Frank Thomson Leighton | Failsafe key escrow system |
| US5615268A (en) * | 1995-01-17 | 1997-03-25 | Document Authentication Systems, Inc. | System and method for electronic transmission storage and retrieval of authenticated documents |
| US7743248B2 (en) * | 1995-01-17 | 2010-06-22 | Eoriginal, Inc. | System and method for a remote access service enabling trust and interoperability when retrieving certificate status from multiple certification authority reporting components |
| US6237096B1 (en) | 1995-01-17 | 2001-05-22 | Eoriginal Inc. | System and method for electronic transmission storage and retrieval of authenticated documents |
| US7162635B2 (en) * | 1995-01-17 | 2007-01-09 | Eoriginal, Inc. | System and method for electronic transmission, storage, and retrieval of authenticated electronic original documents |
| US5748738A (en) * | 1995-01-17 | 1998-05-05 | Document Authentication Systems, Inc. | System and method for electronic transmission, storage and retrieval of authenticated documents |
| US6272632B1 (en) | 1995-02-21 | 2001-08-07 | Network Associates, Inc. | System and method for controlling access to a user secret using a key recovery field |
| US5564106A (en) * | 1995-03-09 | 1996-10-08 | Motorola, Inc. | Method for providing blind access to an encryption key |
| US5633928A (en) * | 1995-03-10 | 1997-05-27 | Bell Communications Research, Inc. | Key escrow method with warrant bounds |
| US5826245A (en) * | 1995-03-20 | 1998-10-20 | Sandberg-Diment; Erik | Providing verification information for a transaction |
| US5553145A (en) * | 1995-03-21 | 1996-09-03 | Micali; Silvia | Simultaneous electronic transactions with visible trusted parties |
| US6134326A (en) * | 1996-11-18 | 2000-10-17 | Bankers Trust Corporation | Simultaneous electronic transactions |
| US6141750A (en) * | 1995-03-21 | 2000-10-31 | Micali; Silvio | Simultaneous electronic transactions with subscriber verification |
| US6137884A (en) * | 1995-03-21 | 2000-10-24 | Bankers Trust Corporation | Simultaneous electronic transactions with visible trusted parties |
| WO1996029795A1 (en) * | 1995-03-21 | 1996-09-26 | Silvio Micali | Simultaneous electronic transactions |
| US5559889A (en) * | 1995-03-31 | 1996-09-24 | International Business Machines Corporation | System and methods for data encryption using public key cryptography |
| NZ306846A (en) * | 1995-06-05 | 2000-01-28 | Certco Llc | Digital signing method using partial signatures |
| US5768389A (en) * | 1995-06-21 | 1998-06-16 | Nippon Telegraph And Telephone Corporation | Method and system for generation and management of secret key of public key cryptosystem |
| US7600129B2 (en) | 1995-10-02 | 2009-10-06 | Corestreet, Ltd. | Controlling access using additional data |
| US7716486B2 (en) | 1995-10-02 | 2010-05-11 | Corestreet, Ltd. | Controlling group access to doors |
| US7337315B2 (en) | 1995-10-02 | 2008-02-26 | Corestreet, Ltd. | Efficient certificate revocation |
| US7353396B2 (en) | 1995-10-02 | 2008-04-01 | Corestreet, Ltd. | Physical access control |
| US7822989B2 (en) * | 1995-10-02 | 2010-10-26 | Corestreet, Ltd. | Controlling access to an area |
| US8015597B2 (en) | 1995-10-02 | 2011-09-06 | Corestreet, Ltd. | Disseminating additional data used for controlling access |
| US6766450B2 (en) * | 1995-10-24 | 2004-07-20 | Corestreet, Ltd. | Certificate revocation system |
| US7660994B2 (en) * | 1995-10-24 | 2010-02-09 | Corestreet, Ltd. | Access control |
| US8732457B2 (en) * | 1995-10-02 | 2014-05-20 | Assa Abloy Ab | Scalable certificate validation and simplified PKI management |
| US8261319B2 (en) | 1995-10-24 | 2012-09-04 | Corestreet, Ltd. | Logging access attempts to an area |
| US5720034A (en) * | 1995-12-07 | 1998-02-17 | Case; Jeffrey D. | Method for secure key production |
| US6026163A (en) * | 1995-12-13 | 2000-02-15 | Micali; Silvio | Distributed split-key cryptosystem and applications |
| US5764772A (en) * | 1995-12-15 | 1998-06-09 | Lotus Development Coporation | Differential work factor cryptography method and system |
| GB2308282B (en) * | 1995-12-15 | 2000-04-12 | Lotus Dev Corp | Differential work factor cryptography method and system |
| US5812670A (en) * | 1995-12-28 | 1998-09-22 | Micali; Silvio | Traceable anonymous transactions |
| US5787169A (en) | 1995-12-28 | 1998-07-28 | International Business Machines Corp. | Method and apparatus for controlling access to encrypted data files in a computer system |
| US5615269A (en) * | 1996-02-22 | 1997-03-25 | Micali; Silvio | Ideal electronic negotiations |
| US5666414A (en) * | 1996-03-21 | 1997-09-09 | Micali; Silvio | Guaranteed partial key-escrow |
| US5815573A (en) * | 1996-04-10 | 1998-09-29 | International Business Machines Corporation | Cryptographic key recovery system |
| US6901509B1 (en) | 1996-05-14 | 2005-05-31 | Tumbleweed Communications Corp. | Apparatus and method for demonstrating and confirming the status of a digital certificates and other data |
| US5903651A (en) | 1996-05-14 | 1999-05-11 | Valicert, Inc. | Apparatus and method for demonstrating and confirming the status of a digital certificates and other data |
| US5638447A (en) * | 1996-05-15 | 1997-06-10 | Micali; Silvio | Compact digital signatures |
| US5796830A (en) * | 1996-07-29 | 1998-08-18 | International Business Machines Corporation | Interoperable cryptographic key recovery system |
| CA2261947C (en) * | 1996-08-07 | 2008-11-18 | Silvio Micali | Simultaneous electronic transactions with visible trusted parties |
| US5764767A (en) * | 1996-08-21 | 1998-06-09 | Technion Research And Development Foundation Ltd. | System for reconstruction of a secret shared by a plurality of participants |
| US5937066A (en) * | 1996-10-02 | 1999-08-10 | International Business Machines Corporation | Two-phase cryptographic key recovery system |
| US5949882A (en) * | 1996-12-13 | 1999-09-07 | Compaq Computer Corporation | Method and apparatus for allowing access to secured computer resources by utilzing a password and an external encryption algorithm |
| US6400823B1 (en) | 1996-12-13 | 2002-06-04 | Compaq Computer Corporation | Securely generating a computer system password by utilizing an external encryption algorithm |
| US5960084A (en) * | 1996-12-13 | 1999-09-28 | Compaq Computer Corporation | Secure method for enabling/disabling power to a computer system following two-piece user verification |
| JPH10198272A (en) * | 1996-12-27 | 1998-07-31 | Canon Inc | Key managing method, ciphering system, and decentralized digital signature system with hierarchy |
| US5953422A (en) * | 1996-12-31 | 1999-09-14 | Compaq Computer Corporation | Secure two-piece user authentication in a computer network |
| US6581162B1 (en) | 1996-12-31 | 2003-06-17 | Compaq Information Technologies Group, L.P. | Method for securely creating, storing and using encryption keys in a computer system |
| US5887131A (en) * | 1996-12-31 | 1999-03-23 | Compaq Computer Corporation | Method for controlling access to a computer system by utilizing an external device containing a hash value representation of a user password |
| US5907618A (en) * | 1997-01-03 | 1999-05-25 | International Business Machines Corporation | Method and apparatus for verifiably providing key recovery information in a cryptographic system |
| US5920630A (en) * | 1997-02-25 | 1999-07-06 | United States Of America | Method of public key cryptography that includes key escrow |
| JP3656688B2 (en) * | 1997-03-31 | 2005-06-08 | 栄司 岡本 | Cryptographic data recovery method and key registration system |
| US6335972B1 (en) | 1997-05-23 | 2002-01-01 | International Business Machines Corporation | Framework-based cryptographic key recovery system |
| US6389136B1 (en) | 1997-05-28 | 2002-05-14 | Adam Lucas Young | Auto-Recoverable and Auto-certifiable cryptosystems with RSA or factoring based keys |
| US6282295B1 (en) | 1997-10-28 | 2001-08-28 | Adam Lucas Young | Auto-recoverable and auto-certifiable cryptostem using zero-knowledge proofs for key escrow in general exponential ciphers |
| US6122742A (en) * | 1997-06-18 | 2000-09-19 | Young; Adam Lucas | Auto-recoverable and auto-certifiable cryptosystem with unescrowed signing keys |
| US6243466B1 (en) | 1997-08-29 | 2001-06-05 | Adam Lucas Young | Auto-escrowable and auto-certifiable cryptosystems with fast key generation |
| US6202150B1 (en) | 1997-05-28 | 2001-03-13 | Adam Lucas Young | Auto-escrowable and auto-certifiable cryptosystems |
| US6314190B1 (en) | 1997-06-06 | 2001-11-06 | Networks Associates Technology, Inc. | Cryptographic system with methods for user-controlled message recovery |
| US7290288B2 (en) | 1997-06-11 | 2007-10-30 | Prism Technologies, L.L.C. | Method and system for controlling access, by an authentication server, to protected computer resources provided via an internet protocol network |
| US6058188A (en) * | 1997-07-24 | 2000-05-02 | International Business Machines Corporation | Method and apparatus for interoperable validation of key recovery information in a cryptographic system |
| US6119228A (en) * | 1997-08-22 | 2000-09-12 | Compaq Computer Corporation | Method for securely communicating remote control commands in a computer network |
| NL1007472C2 (en) * | 1997-11-06 | 1999-05-10 | Koninkl Kpn Nv | Method and device for the secure storage of data from message traffic. |
| US6275939B1 (en) | 1998-06-25 | 2001-08-14 | Westcorp Software Systems, Inc. | System and method for securely accessing a database from a remote location |
| US6611812B2 (en) | 1998-08-13 | 2003-08-26 | International Business Machines Corporation | Secure electronic content distribution on CDS and DVDs |
| US6226618B1 (en) | 1998-08-13 | 2001-05-01 | International Business Machines Corporation | Electronic content delivery system |
| US6983371B1 (en) | 1998-10-22 | 2006-01-03 | International Business Machines Corporation | Super-distribution of protected digital content |
| US6859791B1 (en) | 1998-08-13 | 2005-02-22 | International Business Machines Corporation | Method for determining internet users geographic region |
| US7110984B1 (en) * | 1998-08-13 | 2006-09-19 | International Business Machines Corporation | Updating usage conditions in lieu of download digital rights management protected content |
| US6389403B1 (en) | 1998-08-13 | 2002-05-14 | International Business Machines Corporation | Method and apparatus for uniquely identifying a customer purchase in an electronic distribution system |
| US6959288B1 (en) | 1998-08-13 | 2005-10-25 | International Business Machines Corporation | Digital content preparation system |
| US20010011349A1 (en) * | 1998-09-03 | 2001-08-02 | Greg B. Garrison | System and method for encrypting a data session between a client and a server |
| RU2153191C2 (en) | 1998-09-29 | 2000-07-20 | Закрытое акционерное общество "Алкорсофт" | Method for blind production of digital rsa signature and device which implements said method |
| DE19847941A1 (en) * | 1998-10-09 | 2000-04-13 | Deutsche Telekom Ag | Common cryptographic key establishment method for subscribers involves successively combining two known secret values into a new common value throughout using Diffie-Hellmann technique |
| US6535607B1 (en) | 1998-11-02 | 2003-03-18 | International Business Machines Corporation | Method and apparatus for providing interoperability between key recovery and non-key recovery systems |
| RU2157001C2 (en) | 1998-11-25 | 2000-09-27 | Закрытое акционерное общество "Алкорсофт" | Method for conducting transactions |
| JP2000165373A (en) * | 1998-11-25 | 2000-06-16 | Toshiba Corp | Enciphering device, cryptographic communication system, key restoration system and storage medium |
| US6473508B1 (en) | 1998-12-22 | 2002-10-29 | Adam Lucas Young | Auto-recoverable auto-certifiable cryptosystems with unescrowed signature-only keys |
| US6396929B1 (en) | 1998-12-31 | 2002-05-28 | International Business Machines Corporation | Apparatus, method, and computer program product for high-availability multi-agent cryptographic key recovery |
| US6959390B1 (en) * | 1999-03-03 | 2005-10-25 | International Business Machines Corporation | Data processing system and method for maintaining secure user private keys in non-secure storage |
| US7499551B1 (en) | 1999-05-14 | 2009-03-03 | Dell Products L.P. | Public key infrastructure utilizing master key encryption |
| US6829356B1 (en) * | 1999-06-29 | 2004-12-07 | Verisign, Inc. | Server-assisted regeneration of a strong secret from a weak secret |
| US6944762B1 (en) | 1999-09-03 | 2005-09-13 | Harbor Payments Corporation | System and method for encrypting data messages |
| GB9925227D0 (en) | 1999-10-25 | 1999-12-22 | Internet Limited | Data storage retrieval and access system |
| US7213005B2 (en) | 1999-12-09 | 2007-05-01 | International Business Machines Corporation | Digital content distribution using web broadcasting services |
| US6834110B1 (en) | 1999-12-09 | 2004-12-21 | International Business Machines Corporation | Multi-tier digital TV programming for content distribution |
| FR2804561B1 (en) * | 2000-01-31 | 2002-03-01 | France Telecom | COMMUNICATION METHOD WITH SEQUESTRE AND ENCRYPTION KEY RECOVERY |
| US20030101346A1 (en) * | 2000-02-29 | 2003-05-29 | Barron Austin Kesler | Method for notarizing receipt of electronic communications and enabling electronic registered mail; method for verifying identity of account party |
| US6823070B1 (en) | 2000-03-28 | 2004-11-23 | Freescale Semiconductor, Inc. | Method for key escrow in a communication system and apparatus therefor |
| EP1164745A3 (en) * | 2000-06-09 | 2005-03-30 | Northrop Grumman Corporation | System and method for usage of a role certificate in encryption, and as a seal, digital stamp, and a signature |
| US7028180B1 (en) | 2000-06-09 | 2006-04-11 | Northrop Grumman Corporation | System and method for usage of a role certificate in encryption and as a seal, digital stamp, and signature |
| US20040073617A1 (en) | 2000-06-19 | 2004-04-15 | Milliken Walter Clark | Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail |
| US6978375B1 (en) * | 2000-09-08 | 2005-12-20 | International Business Machines Corporation | System and method for secure authentication of external software modules provided by third parties |
| GB2370471B (en) * | 2000-12-20 | 2004-06-23 | Director Government Comm Headq | Directoryless Public Key Cryptographic System and Method |
| US7197765B2 (en) * | 2000-12-29 | 2007-03-27 | Intel Corporation | Method for securely using a single password for multiple purposes |
| US7181017B1 (en) | 2001-03-23 | 2007-02-20 | David Felsher | System and method for secure three-party communications |
| KR100406754B1 (en) * | 2001-04-11 | 2003-11-21 | 한국정보보호진흥원 | Forward-secure commercial key escrow system and escrowing method thereof |
| DE60215332T2 (en) * | 2001-04-27 | 2007-05-24 | Betrusted Ireland Ltd. | System and method for sharing a common secret |
| WO2002100022A2 (en) * | 2001-06-01 | 2002-12-12 | No Magic, Inc. | Electronic information and cryptographic key management system |
| US6973571B2 (en) * | 2001-07-03 | 2005-12-06 | Bank Of America Corporation | System, apparatus, and method for performing cryptographic validity services |
| US7187772B2 (en) * | 2001-08-31 | 2007-03-06 | Hewlett-Packard Development Company, L.P. | Anonymous transactions based on distributed processing |
| US20040117618A1 (en) * | 2002-03-13 | 2004-06-17 | Kyoko Kawaguchi | Service execution module |
| US20040255137A1 (en) * | 2003-01-09 | 2004-12-16 | Shuqian Ying | Defending the name space |
| US9818136B1 (en) | 2003-02-05 | 2017-11-14 | Steven M. Hoffberg | System and method for determining contingent relevance |
| CA2525398C (en) * | 2003-05-13 | 2014-03-11 | Corestreet, Ltd. | Efficient and secure data currentness systems |
| KR20060097131A (en) * | 2003-11-19 | 2006-09-13 | 코아스트리트 리미티드 | Distributed delegated path discovery and validation |
| US7698557B2 (en) * | 2003-12-22 | 2010-04-13 | Guardtime As | System and method for generating a digital certificate |
| US7752453B2 (en) * | 2004-01-08 | 2010-07-06 | Encryption Solutions, Inc. | Method of encrypting and transmitting data and system for transmitting encrypted data |
| US8031865B2 (en) * | 2004-01-08 | 2011-10-04 | Encryption Solutions, Inc. | Multiple level security system and method for encrypting data within documents |
| US7526643B2 (en) * | 2004-01-08 | 2009-04-28 | Encryption Solutions, Inc. | System for transmitting encrypted data |
| EP1706954B1 (en) * | 2004-01-09 | 2018-07-25 | Assa Abloy Ab | Signature-efficient real time credentials for ocsp and distributed ocsp |
| US7562052B2 (en) * | 2004-06-07 | 2009-07-14 | Tony Dezonno | Secure customer communication method and system |
| US7205882B2 (en) * | 2004-11-10 | 2007-04-17 | Corestreet, Ltd. | Actuating a security system using a wireless device |
| KR20060077808A (en) * | 2004-12-31 | 2006-07-05 | 삼성전자주식회사 | System and method for transmitting and receiving secret information and device and local wireless communication device using the same |
| US8132005B2 (en) * | 2005-07-07 | 2012-03-06 | Nokia Corporation | Establishment of a trusted relationship between unknown communication parties |
| US8874477B2 (en) | 2005-10-04 | 2014-10-28 | Steven Mark Hoffberg | Multifactorial optimization system and method |
| US8566247B1 (en) | 2007-02-19 | 2013-10-22 | Robert H. Nagel | System and method for secure communications involving an intermediary |
| US7966652B2 (en) * | 2008-04-07 | 2011-06-21 | Safemashups Inc. | Mashauth: using mashssl for efficient delegated authentication |
| US7945774B2 (en) * | 2008-04-07 | 2011-05-17 | Safemashups Inc. | Efficient security for mashups |
| US7930542B2 (en) * | 2008-04-07 | 2011-04-19 | Safemashups Inc. | MashSSL: a novel multi party authentication and key exchange mechanism based on SSL |
| WO2015062904A1 (en) * | 2013-10-28 | 2015-05-07 | Kmaas Aps | A system and a method for management of confidential data |
| US9749297B2 (en) | 2014-11-12 | 2017-08-29 | Yaron Gvili | Manicoding for communication verification |
| CN107103470B (en) * | 2017-03-03 | 2021-08-13 | 九次方大数据信息集团有限公司 | Method and system for improving information security in spot transaction process |
| US11115207B2 (en) * | 2018-12-05 | 2021-09-07 | Sidewalk Labs LLC | Identity systems, methods, and media for auditing and notifying users concerning verifiable claims |
| CN109728910A (en) * | 2018-12-27 | 2019-05-07 | 北京永恒纪元科技有限公司 | A kind of efficient thresholding distribution elliptic curve key generates and endorsement method and system |
Family Cites Families (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US4405829A (en) * | 1977-12-14 | 1983-09-20 | Massachusetts Institute Of Technology | Cryptographic communications system and method |
| US4375579A (en) * | 1980-01-30 | 1983-03-01 | Wisconsin Alumni Research Foundation | Database encryption and decryption circuit and method using subkeys |
| US5018196A (en) * | 1985-09-04 | 1991-05-21 | Hitachi, Ltd. | Method for electronic transaction with digital signature |
| US4933970A (en) * | 1988-01-19 | 1990-06-12 | Yeda Research And Development Company Limited | Variants of the fiat-shamir identification and signature scheme |
| US5136643A (en) * | 1989-10-13 | 1992-08-04 | Fischer Addison M | Public/key date-time notary facility |
| GB2243577A (en) * | 1990-05-07 | 1991-11-06 | Compeq Manufacturing Co Limite | A method of bonding copper and resin |
| EP0482233B1 (en) * | 1990-10-24 | 1995-03-08 | Omnisec Ag | Cryptographic system allowing encrypted communication between users with a secure mutual cipher key determined without user interaction |
| US5199070A (en) * | 1990-12-18 | 1993-03-30 | Matsushita Electric Industrial Co., Ltd. | Method for generating a public key |
| US5214698A (en) * | 1991-03-20 | 1993-05-25 | International Business Machines Corporation | Method and apparatus for validating entry of cryptographic keys |
| US5276737B1 (en) * | 1992-04-20 | 1995-09-12 | Silvio Micali | Fair cryptosystems and methods of use |
-
1993
- 1993-04-19 US US08049929 patent/US5315658B1/en not_active Ceased
- 1993-04-20 CA CA002118493A patent/CA2118493A1/en not_active Abandoned
-
1994
- 1994-04-19 AT AT94914847T patent/ATE202440T1/en not_active IP Right Cessation
- 1994-04-19 EP EP94914847A patent/EP0695485B1/en not_active Expired - Lifetime
- 1994-04-19 DE DE69427534T patent/DE69427534D1/en not_active Expired - Lifetime
- 1994-04-19 WO PCT/US1994/004325 patent/WO1994026044A2/en active IP Right Grant
Also Published As
| Publication number | Publication date |
|---|---|
| EP0695485A4 (en) | 1997-09-03 |
| DE69427534D1 (en) | 2001-07-26 |
| EP0695485B1 (en) | 2001-06-20 |
| WO1994026044A2 (en) | 1994-11-10 |
| ATE202440T1 (en) | 2001-07-15 |
| WO1994026044A3 (en) | 1995-01-19 |
| US5315658A (en) | 1994-05-24 |
| US5315658B1 (en) | 1995-09-12 |
| EP0695485A1 (en) | 1996-02-07 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| USRE35808E (en) | Fair cryptosystems and methods of use | |
| AU670587B2 (en) | Verifying secret keys in a public-key cryptosystem | |
| CA2118493A1 (en) | Fair cryptosystems and methods of use | |
| USRE36918E (en) | Fair cryptosystems and methods of use | |
| US5481613A (en) | Computer network cryptographic key distribution system | |
| Micali | Fair public-key cryptosystems | |
| JP4790731B2 (en) | Derived seed | |
| US7409545B2 (en) | Ephemeral decryption utilizing binding functions | |
| US7502467B2 (en) | System and method for authentication seed distribution | |
| US6377688B1 (en) | Cryptographic communication method and system | |
| US7359507B2 (en) | Server-assisted regeneration of a strong secret from a weak secret | |
| KR100406754B1 (en) | Forward-secure commercial key escrow system and escrowing method thereof | |
| US6483920B2 (en) | Key recovery process used for strong encryption of messages | |
| US20060036857A1 (en) | User authentication by linking randomly-generated authentication secret with personalized secret | |
| Micali | Fair cryptosystems | |
| EP1501238B1 (en) | Method and system for key distribution comprising a step of authentication and a step of key distribution using a KEK (key encryption key) | |
| WO1993021708A1 (en) | Verifying secret keys in a public-key cryptosystem | |
| KR20050065978A (en) | Method for sending and receiving using encryption/decryption key | |
| JPH08506217A (en) | Fair encryption system and how to use it | |
| JPH09244531A (en) | Anonymity registration method | |
| Mitchell et al. | The Royal Holloway TTP-based key escrow scheme | |
| Valls et al. | Distributed Virtual Safe-Deposit Box |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| FZDE | Discontinued |